Detecting Cross Site Scripting (XSS) Vulnerabilities With Fiddler
For those of you who have subscribed to either my Facebook profile or RHA's Facebook fan page, you might know that I have been on a mission to discover XSS on high-profile websites. I have found XSS in high-profile websites like Microsoft, eBay, Apple, Adobe, StumbleUpon, etc. Lots of people ask me about the methodology I use to detect cross-site scripting (XSS) vulnerabilities.
Well, honestly speaking, I don't use a single tool or a single strategy to detect/exploit XSS. My strategy involves a combination of Google dorks, automatic dork scanners and multiple free/commercial scanners to detect/verify/exploit the vulnerability. However, if you are targeting a high-profile website, you won't find an XSS on the homepage. You need to look for the places where few people are searching. There, your chances of detecting XSS would be really high.
With that being said, I would like to introduce you to a tool in my XSS discovery toolkit named "Fiddler". Fiddler basically acts as a proxy between your computer and the internet. Fiddler comes with lots of different features; however, I won't talk about them here, as they are outside the scope of this article. If you would like to learn more about the capabilities of Fiddler, I would recommend reading the book "Debugging with Fiddler".
Here is a quick startup guide for setting up and starting to work with Fiddler:
Watcher
Watcher is a Fiddler addon which aims to assist penetration testers in passively finding Web-application vulnerabilities. The security field today has several good choices for HTTP proxies which assist auditors and pen-testers. We chose to implement this as a plugin for Fiddler which already provides the proxy framework for HTTP debugging.
Watcher is one of my favorite addons for Fiddler. It automatically detects high-profile vulnerabilities such as cross-site scripting (XSS) and open redirects.
http://websecuritytool.codeplex.com/wikipage?title=Checks
X5S
While Watcher does detect some XSS, it generates lots of false positives. Therefore, I also use another addon along with Fiddler for detecting cross-site scripting: x5s. It was also created by the developers of Watcher, but it is built specifically for detecting XSS. Here is the official description:
x5s acts as an assistant to the security tester by speeding up the process of parameter manipulation and aggregating the results for quick viewing. It automates some of the preliminary XSS testing work by enumerating and injecting canaries into all input fields/parameters sent to an application and analyzing how those canaries were later emitted. E.g. Was the emitted output encoded safely or not? Did an injected character transform to something else?
I would recommend taking a look at the following quick start tutorial if you are planning to use x5s:
http://xss.codeplex.com/wikipage?title=Tutorial&referringTitle=Home
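The canary analysis that the x5s description above refers to can be sketched in a few lines for checking your own application's output encoding. This is an added example, not x5s code or code from the original post; the marker prefix, function names and the two sample pages are constructed for illustration.

```python
import html
import re
from urllib.parse import quote

# Characters whose output encoding decides whether a reflection is safe in HTML.
PROBE_CHARS = ["<", ">", '"', "'", "&"]

def make_canary(tag):
    """Wrap each probe character in unique alphanumeric markers built from `tag`."""
    return "".join(f"{tag}{i}a{ch}{tag}{i}b" for i, ch in enumerate(PROBE_CHARS))

def classify(body, tag):
    """Report how each probe character of the canary was emitted in `body`."""
    results = {}
    for i, ch in enumerate(PROBE_CHARS):
        pattern = re.escape(f"{tag}{i}a") + "(.*?)" + re.escape(f"{tag}{i}b")
        m = re.search(pattern, body, re.S)
        if m is None:
            results[ch] = "not reflected"
        elif m.group(1) == ch:
            results[ch] = "raw"
        elif m.group(1) == "":
            results[ch] = "stripped"
        elif html.unescape(m.group(1)) == ch:
            results[ch] = "html-encoded"
        elif m.group(1).upper() == quote(ch, safe=""):
            results[ch] = "url-encoded"
        else:
            results[ch] = f"transformed to {m.group(1)!r}"
    return results

def unsafe_chars(results):
    """Probe characters that came back unencoded and need a fix in the output layer."""
    return [ch for ch, how in results.items() if how == "raw"]

# Constructed sample pages (not from a real site): one encodes every probe
# character, the other encodes only angle brackets inside an attribute value.
def render_safe(value):
    return f'<input name="q" value="{html.escape(value, quote=True)}">'

def render_partial(value):
    return '<input name="q" value="' + value.replace("<", "&lt;").replace(">", "&gt;") + '">'

if __name__ == "__main__":
    tag = "zq7x"  # constructed marker prefix
    canary = make_canary(tag)
    for name, render in (("safe", render_safe), ("partial", render_partial)):
        report = classify(render(canary), tag)
        print(name, report, "unencoded:", unsafe_chars(report))
```

The partial encoder passes a check that only looks at angle brackets, yet the report shows the quote characters coming back raw inside an attribute value, which is the kind of per-character result the description means by "encoded safely or not".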